A Close Look at TeslaCrypt 3.0 Ransomware

TeslaCrypt is yet another ransomware family making the rounds. It is distributed mainly through spear-phishing email and through the Angler exploit kit, which exploits vulnerabilities in Adobe Flash Player and, on success, downloads a variant of the ransomware onto the victim's machine.

Infection Indicators
Machines infected by TeslaCrypt will usually have the following files present in almost every directory (the [Random] part of the name varies per infection):

+REcovER+[Random]+.html

+REcovER+[Random]+.txt

+REcovER+[Random]+.png

The recovery instructions for the encrypted files can be found inside these files.
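A quick way to turn the ransom-note naming scheme above into a host check is to walk the file system for names of the form +REcovER+[Random]+.html/.txt/.png and count how many directories carry them. The script below is an added example, not code from the original post or from ThreatTrack; the character set allowed for the random token and the sample directory tree it builds are assumptions made for the demonstration.

```python
import os
import re
import tempfile

# Ransom note names observed on infected hosts: +REcovER+<random>+.html/.txt/.png
# The exact character set of the random token is not stated on the page, so this
# pattern (assumption) accepts letters and digits.
NOTE_PATTERN = re.compile(r"^\+REcovER\+[A-Za-z0-9]+\+\.(html|txt|png)$")


def is_ransom_note(filename: str) -> bool:
    """True if a filename matches the TeslaCrypt 3.0 ransom-note naming scheme."""
    return NOTE_PATTERN.match(filename) is not None


def find_ransom_notes(root: str):
    """Walk a directory tree and return sorted (directory, filename) pairs for
    every ransom note found, without following symlinks."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            if is_ransom_note(name):
                hits.append((dirpath, name))
    return sorted(hits)


def directories_with_notes(root: str) -> int:
    """Number of distinct directories under root holding at least one note.
    The malware drops notes in almost every directory it touches, so a high
    count relative to the tree size is a stronger signal than a single hit."""
    return len({d for d, _ in find_ransom_notes(root)})


def build_sample_tree() -> str:
    """Constructed fixture: a temporary tree imitating an infected profile.
    The random tokens and document names are made up for this example."""
    root = tempfile.mkdtemp(prefix="teslacrypt-demo-")
    layout = {
        "Documents": ["+REcovER+abc12+.html", "+REcovER+abc12+.txt",
                      "+REcovER+abc12+.png", "report.docx"],
        "Documents/Projects": ["+REcovER+abc12+.txt", "notes.xlsx"],
        "Pictures": ["+REcovER+abc12+.html", "holiday.jpg"],
        "Downloads": ["recover.html", "RECOVER.txt"],  # benign look-alikes
    }
    for rel, names in layout.items():
        d = os.path.join(root, rel)
        os.makedirs(d, exist_ok=True)
        for n in names:
            with open(os.path.join(d, n), "w") as f:
                f.write("constructed sample content\n")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for d, n in find_ransom_notes(sample):
        print(os.path.join(d, n))
    print(f"{directories_with_notes(sample)} directories contain ransom notes")
```

Point it at a user profile or a mapped share rather than the constructed tree to use it on a real host; the benign look-alikes in the fixture show why the pattern anchors on the full +REcovER+ form instead of matching on "recover" alone.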

TeslaCrypt ransom note

Technical Details

Note: The sample used for this analysis has an MD5 value of 1028929105f1e6118e06f8b7df0b3381.

The malware starts by ensuring it is running from its intended directory. For this sample, it checks whether it is located in the Documents directory. If it is not, it copies itself there, executes the copy and then deletes the original.

The ransomware creates multiple threads that do the following:

Monitor running processes and terminate any whose name contains one of the following strings:

taskmg

regedi

procex

msconfi

cmd

Contact the C&C server and send information such as system details and the unique system ID.

Run the file encryption routine.

Obfuscation
TeslaCrypt is not above recycling code from older malware families. The initial stage is an encrypted copy of a compressed binary: once decrypted, the malware calls the RtlDecompressBuffer API and writes the decompressed data into its own memory.

Call to RtlDecompressBuffer

The malware also obscures its API calls: instead of importing an API by name, it passes a hash of the API name to a function that returns the procedure address for that hash, so the names never appear in the binary's import table or strings.

The malware passes an API hash to a function that returns the procedure address of the API.

The same code but labeled properly in a disassembler.
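Labelling such calls "properly in a disassembler", as the figure above shows, is usually done by precomputing the hash of every export name of interest and matching the constants seen in the code against that table. The block below is an added example of both sides of that technique and is not code from the page or from the sample: the ROR-13 additive hash is a common choice in shellcode-style resolvers and is an assumption here (the page does not say which hash TeslaCrypt uses), and the export table with its addresses is constructed for the demonstration.

```python
from typing import Dict, Optional

MASK = 0xFFFFFFFF


def ror32(value: int, bits: int) -> int:
    """Rotate a 32-bit value right by `bits`."""
    bits %= 32
    return ((value >> bits) | (value << (32 - bits))) & MASK


def ror13_hash(name: bytes) -> int:
    """ROR-13 additive hash over an ASCII export name.
    Assumption: a common scheme in shellcode-style resolvers. Real samples
    differ in details such as the rotate count and whether the terminating
    NUL is folded in, so check the sample's own loop before reusing this."""
    h = 0
    for b in name:
        h = (ror32(h, 13) + b) & MASK
    return h


# Constructed stand-in for a module's export table (name -> address).
# The addresses are made up for this example.
FAKE_EXPORTS: Dict[bytes, int] = {
    b"CreateMutexA": 0x7C80F8A1,
    b"CreateThread": 0x7C810637,
    b"GetProcAddress": 0x7C80AE30,
    b"LoadLibraryA": 0x7C801D7B,
    b"RtlDecompressBuffer": 0x7C92D6B0,
}


def resolve_by_hash(target: int, exports: Dict[bytes, int]) -> Optional[int]:
    """What the malware's resolver does: walk the export names, hash each one
    and return the address whose hash matches (None if nothing matches)."""
    for name, addr in exports.items():
        if ror13_hash(name) == target:
            return addr
    return None


def build_hash_table(names, hasher=ror13_hash) -> Dict[int, bytes]:
    """What the analyst does: precompute hash -> name for known API names so
    the constants seen in the disassembly can be labelled."""
    return {hasher(n): n for n in names}


def label_hashes(constants, table: Dict[int, bytes]) -> Dict[int, str]:
    """Map constants pulled from the binary to API names, or '<unknown>'."""
    return {c: table.get(c, b"<unknown>").decode() for c in constants}


if __name__ == "__main__":
    table = build_hash_table(FAKE_EXPORTS)
    wanted = ror13_hash(b"RtlDecompressBuffer")
    print(f"0x{wanted:08X} -> 0x{resolve_by_hash(wanted, FAKE_EXPORTS):08X}")
    for h, n in label_hashes([wanted, 0xDEADBEEF], table).items():
        print(f"0x{h:08X}  {n}")
```

In practice the analyst feeds build_hash_table the export lists of kernel32, ntdll, advapi32 and wininet (the modules a sample like this needs for mutexes, threads, decompression, the registry and HTTP) and then runs label_hashes over the immediates pulled from the resolver's call sites.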

File Encryption
TeslaCrypt encrypts files with AES and sends one part of the key material to its C&C server, so the infected machine on its own does not hold enough to recover the files.

It first checks whether the system already has its recovery key. If not, it generates the encryption keys that the encryption routine will use.

Checks if the recovery key already exists and generates it if it doesn’t.

TeslaCrypt traverses all fixed, remote and removable drives looking for files with targeted extensions.

Once a file passes the extension check, the malware checks for its own encryption header. Files that already carry it are skipped; the rest are encrypted.

Each encrypted file's header contains, among other things, the global recovery key, the global public key and the original file size, followed by the encrypted data.

Sample of an encrypted file
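Two details above are useful to a responder triaging a drive: the header records the original file size, and the payload is AES output. The block below is an added example, not code from the page or from the sample, of a check that parses such a header and decides whether a file is consistent with having been encrypted (the same kind of test the malware itself relies on to skip files it already processed). The field sizes, field order and the AES-CBC/PKCS#7 length relation are assumptions chosen for the illustration; the page gives the fields but not their layout, so this is not TeslaCrypt's real format.

```python
import math
import os
import struct
from collections import Counter

# Illustrative header layout (assumption): the page lists the fields but not
# their sizes or order, so these values are chosen for the example and are
# NOT TeslaCrypt's real layout.
RECOVERY_KEY_LEN = 64     # "global recovery key" field
PUBLIC_KEY_LEN = 65       # "global public key" field
SIZE_FMT = "<I"           # "original file size" as 32-bit little-endian
HEADER_LEN = RECOVERY_KEY_LEN + PUBLIC_KEY_LEN + struct.calcsize(SIZE_FMT)
AES_BLOCK = 16


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: AES output sits near 8.0, documents and text far lower."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def parse_header(blob: bytes):
    """Split a file into the assumed header fields and the encrypted payload.
    Returns None if the file is too short to hold the header at all."""
    if len(blob) < HEADER_LEN:
        return None
    off = 0
    recovery_key = blob[off:off + RECOVERY_KEY_LEN]
    off += RECOVERY_KEY_LEN
    public_key = blob[off:off + PUBLIC_KEY_LEN]
    off += PUBLIC_KEY_LEN
    (orig_size,) = struct.unpack_from(SIZE_FMT, blob, off)
    off += struct.calcsize(SIZE_FMT)
    return {"recovery_key": recovery_key, "public_key": public_key,
            "original_size": orig_size, "payload": blob[off:]}


def looks_encrypted(blob: bytes, min_entropy: float = 7.5) -> bool:
    """Triage check: the payload length must match AES-CBC with PKCS#7
    padding (original size rounded up to the next full block, assumption),
    and the payload must be high-entropy. Both must hold, which keeps a
    truncated or corrupted file from being mistaken for an encrypted one."""
    hdr = parse_header(blob)
    if hdr is None:
        return False
    expected = (hdr["original_size"] // AES_BLOCK + 1) * AES_BLOCK
    if len(hdr["payload"]) != expected:
        return False
    return shannon_entropy(hdr["payload"]) >= min_entropy


def make_sample(original_size: int) -> bytes:
    """Constructed sample of an encrypted file under the assumed layout; the
    keys and ciphertext are random bytes, not real key material."""
    padded = (original_size // AES_BLOCK + 1) * AES_BLOCK
    return (os.urandom(RECOVERY_KEY_LEN) + os.urandom(PUBLIC_KEY_LEN)
            + struct.pack(SIZE_FMT, original_size) + os.urandom(padded))


if __name__ == "__main__":
    encrypted = make_sample(4000)
    plain = b"The quick brown fox jumps over the lazy dog. " * 40
    for label, blob in (("sample", encrypted), ("plaintext", plain)):
        print(f"{label}: encrypted={looks_encrypted(blob)} "
              f"entropy={shannon_entropy(blob[HEADER_LEN:]):.2f}")
```

When adapting this to a real sample, take the field sizes from the disassembly of the encryption routine, and keep the length check: entropy alone will happily flag compressed archives and images, which is exactly the kind of file a ransomware victim has plenty of.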

C&C Servers
The malware tries to connect to one of the following domains:

hxxp://naturstein-schubert.de

hxxp://csskol.org/wp-content

hxxp://casasembargada.com

hxxp://mahmutersan.com.tr

hxxp://forms.net.in

hxxp://kknk-shop.dev.onnetdigital.com

If it manages to connect to one of them, it sends a POST request carrying encoded data that includes the following:

The shared key for the encryption

Bitcoin address

OS version

TeslaCrypt version

Unique ID for the infected system

HttpSendRequest with the encrypted data

Other Details
To ensure that only one instance of the malware runs at a time, it creates a mutex named "8_8_8_8".

CreateMutex function

It creates an autostart registry entry so that it is executed at every startup.

Autostart registry

It also sets the EnableLinkedConnections policy value in the registry (under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System). Under UAC, drives mapped in a user's standard-privilege session are normally not visible to processes running with that user's elevated token; with this value set to 1, Windows links the mapped drives across both tokens, so the ransomware can reach the victim's mapped network shares from an elevated process as well.

EnableLinkedConnections registry value

Interestingly, the gang behind TeslaCrypt appears to have had a change of heart and has publicly released its master decryption key. Before it shut down, the now-defunct payment site demanded a minimum of $500 in bitcoin.

TeslaCrypt payment page

Advanced threat defense products like those used in this analysis help prevent ransomware infections by catching emerging threats before they can do any damage. There are two main lines of defense: email and the network.

Advanced email defense solutions like ThreatSecure Email are designed to catch malware that evades traditional defenses. It’s a great tool to help stop attacks by detecting phishing links and exploits that deliver ransomware. That can stop TeslaCrypt from encrypting and taking the data from you.

ThreatTrack Security Labs is the power behind the malware analysis, detection and remediation technologies developed by ThreatTrack Security. From facilities in the United States and the Philippines, our team of cybersecurity professionals, malware researchers, engineers and software developers work around the clock to discover and combat Advanced Persistent Threats, targeted attacks, Zero-days and other sophisticated malware. The company develops advanced cybersecurity solutions that Expose, Analyze and Eliminate the latest malicious threats, including its ThreatSecure advanced threat detection and remediation platform, ThreatAnalyzer malware behavioral analysis sandbox, ThreatIQ real-time threat intelligence service, and VIPRE business antivirus endpoint protection. Learn more about ThreatTrack Security.